5a9b4455ba5d77a2976edb4149bcadaf.ppt
- Number of slides: 20
Alarm system
Inspired by Babak Javadi presentation
December 2013 – Alexandre TRIFFAULT http://www.frenchkey.fr
Honeywell ADEMCO
Honeywell ADEMCO
Uses both wired and wireless communication (345 MHz – non encrypted)
Wireless zone – Device state ID sent by the device
• 3 key pieces of data
  • Serial Number
  • Loop
  • Status (Wake – Check-in – Low Battery)
• Same is used by every RF device
  • Sensors (door opening, glass break…)
  • Keypad and keyfob
• S/N unique per device
  • Non changeable
  • Enrolled during programming
Wireless zone – RF Data acquisition
Wireless zone – RF Data structure
• RF Loop
  • Devices have up to 4 loops
  • Loops operate independently
Wireless zone – RF Data structure
• Four Status Bits
  • B: Low Battery
  • S: Supervisory
  • W: Wake-up / power-up (new battery)
Hardwired zone – wiring structure
System weaknesses – Hardwired zone
• EOL Resistor Placement
  • The location is IMPORTANT!
  • EOL means "End Of Line" for a good reason
  • Tamper detection is very difficult
System weaknesses – Installer code
System weaknesses – Shortsighted Architecture
• Weak PIN authentication
  • Fixed length: 4 characters
  • Tiny character set: 0 to 9 only
• Special function
  • User access level inquiry
• Minimal attack resistance
  • Crude RF jamming detection
  • No attack resistance on wired ECP Bus
System weaknesses – ECP Bus shortcomings
• Unencrypted
  • Shared copper
  • Allows eavesdropping
  • Interception of keystrokes
• Minimal attack resistance
  • No brute force detection / no command lockout
  • Allows automated / scripted attacks
System weaknesses – Attacking via ECP Bus – Brute Force
System weaknesses – Attacking via ECP Bus – Brute Force
This vulnerability feature is available only on the commercial version
System weaknesses – Hardwired zone
• Wire Management
  • Exposed wires: bad
  • Visible wiring
  • Sloppy wiring
  • Lazy wiring
System weaknesses – RF zone
• 1/ Supervised RF transmitters (door opening, motion sensor, glass breaking…)
  • Unencrypted low power one way devices
  • Transmit only while the state changes
  • Transmit "check-in" signal every 4 hours
• 2/ Unsupervised RF transmitters (keyfobs)
  • Mostly unencrypted low power one way devices
• Attack vectors
  • Eavesdropping
  • Jamming
    • No detection in old receivers, off by default in new (45 seconds interval and a lot of false positives)
  • Replaying / Spoofing
System weaknesses – RF zone bidirectional
• Bidirectional RF transmitters (keypads)
• Keypads
  • Unencrypted keypads use "House ID", 00 to 31 (checking from the panel)
  • New encrypted keypads likely use KeeLoq
• KeeLoq
  • Rolling code encryption by Microchip
  • Used by cars, garage door openers…
  • Broken in 2007
System weaknesses – Panel to central office
• Honeywell systems: two part authentication
  • Subscriber account number
    • HEX
    • 4 bytes
    • Unique per customer
  • Central Station Identification
    • HEX
    • 8 bytes
    • Uniqueness unknown
• ADT systems
  • Subscriber Account Number
  • Special release of Compass software
• Careful and proper installation
• Hide your wires
• Protect your wires
• Don't use RF devices
• Know your weak points
• Protect power source
• Avoid physical access to key devices
Motion and Opening detector
• Radiowave motion detection
• Infrared motion detection
• Function: AND
• Detected with a compass or a gaussmeter
• NO/NC
• Short-circuited with a remote switch